In the OASIS specs I can read the following valid nameid-formats:
but can't find urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress.
If I do a quick Google search, this format appears several times, including in documentation for Cisco Spark.
Can someone clarify this issue for me? It seems that someone invented this nameid-format and now some IdPs/SPs are using it.
Name ID Format. Defines the name identifier formats supported by the identity provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
Even though interoperability profiles "require" a NameID, the SAML 2.0 standard does not require it to be present in assertions.
Persistent aliases. Use the persistent name identifier format if you want a user to log in at the identity provider as one user, but log in at the service provider as a different user. Before you can use this name identifier format, you must link the user at the identity provider with the user at the service provider.
@smartin -- You appear to work at OneLogin and I recently submitted a ticket about this :-). I think your hunch is right; someone saw that there is a SAML 1.1 and a SAML 2.0 and assumed that the 1.1 in urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress was a mistake.
Section 8 of the specification document mentions this at the beginning:
The following sections define URI-based identifiers for common resource access actions, subject name identifier formats, and attribute name formats. Where possible an existing URN is used to specify a protocol. In the case of IETF protocols, the URN of the most current RFC that specifies the protocol is used. URI references created specifically for SAML have one of the following stems, according to the specification set version in which they were first introduced:
urn:oasis:names:tc:SAML:1.0:
urn:oasis:names:tc:SAML:1.1:
urn:oasis:names:tc:SAML:2.0:
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
As the e-mail address identifier was introduced back in SAML v1.1, that would make sense. Check out section 7 intro and 7.3.2 here (https://www.oasis-open.org/committees/download.php/3406/oasis-sstc-saml-core-1.1.pdf).
So, tl;dr: urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress is in conflict with the SAML 1.1 and SAML 2.0 specs.
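As an added example (not part of the question or the answer above), a small Python checker that classifies a NameID Format URI against the formats registered in SAML 2.0 Core section 8.3, so a service provider can flag the 2.0 emailAddress variant and map it to the 1.1 URI the spec actually defines. The assertion XML is constructed for illustration and does not come from any real IdP.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STEM_11, STEM_20 = "urn:oasis:names:tc:SAML:1.1:", "urn:oasis:names:tc:SAML:2.0:"

# NameID formats registered in SAML 2.0 Core section 8.3. The first four were
# introduced in SAML 1.1 (Core 1.1 section 7.3) and therefore keep the 1.1 stem.
REGISTERED = {
    STEM_11 + "nameid-format:unspecified",
    STEM_11 + "nameid-format:emailAddress",
    STEM_11 + "nameid-format:X509SubjectName",
    STEM_11 + "nameid-format:WindowsDomainQualifiedName",
    STEM_20 + "nameid-format:kerberos",
    STEM_20 + "nameid-format:entity",
    STEM_20 + "nameid-format:persistent",
    STEM_20 + "nameid-format:transient",
}
# An omitted Format attribute means "unspecified" (SAML 2.0 Core section 2.2.2).
DEFAULT_FORMAT = STEM_11 + "nameid-format:unspecified"

def classify_format(fmt):
    """Return (status, canonical): 'registered', 'wrong-version' (a registered
    format with the 1.1/2.0 stem swapped) or 'unknown' (canonical is None)."""
    if fmt in REGISTERED:
        return "registered", fmt
    for stem, other in ((STEM_11, STEM_20), (STEM_20, STEM_11)):
        if fmt.startswith(stem) and other + fmt[len(stem):] in REGISTERED:
            return "wrong-version", other + fmt[len(stem):]
    return "unknown", None

def check_assertion_nameid(assertion_xml):
    """Parse a SAML 2.0 Assertion and classify its Subject NameID Format."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None:  # allowed by the spec; the SP's own policy decides
        return None
    fmt = nameid.get("Format", DEFAULT_FORMAT)
    status, canonical = classify_format(fmt)
    return {"format": fmt, "status": status, "canonical": canonical, "value": nameid.text}

# Constructed sample assertion (not from any real IdP) using the 2.0 emailAddress URI.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject></saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion_nameid(SAMPLE))
```

On the SP side, a 'wrong-version' result is a configuration mismatch worth logging and fixing in the IdP settings rather than silently accepting, since strict Format matching is what lets the SP's NameID policy mean anything.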